Easy local Windows Kernel exploitation By Cesar Cerrudo

TECHNICAL WHITE PAPER

Easy local Windows Kernel exploitation

Abstract

In this paper I detail how to easily exploit certain kinds of Windows kernel vulnerabilities. It covers three really easy tricks that can be used in different situations, depending on what you want to do and what you are able to do.

Copyright ©2012. All Rights Reserved.

By Cesar Cerrudo

Contents

Introduction  1
All started with a good paper  1
Making exploitation easier  2
First trick  3
  Nulling out ACLs  4
Second trick  4
  Enabling privileges  6
Third trick  7
  Replacing process token  8
Conclusions  9
Thanks  10
References  10
Contact  10


Introduction

There were so many things I wanted to do when researching this, but I didn’t have enough time. I wanted to gather some statistics about the number of drivers installed on a regular PC and perform quick security audits on them, but who cares about statistics if we all know that most drivers are full of vulnerabilities and will crash the system if you stare at them for 2 seconds. There will always be vulnerabilities in kernel code.

Windows kernel exploitation is still something of a dark art. There are only a few papers about Windows kernel exploitation techniques, and few good, reliable public exploits are available. When talking about write-“what”-“where” exploitation, where you can write some controlled value to a controlled address, there are almost no generic techniques that work across different Windows versions and service pack levels. Some techniques are also unreliable and/or complicated. There is no documented easy way to exploit vulnerabilities when the “what” is a fixed value or null, or when you can only write one or two bytes. Nor is there an easy way when you can only increment or decrement the value at “where”, or under other restrictions. Basically, there is no generic technique for hard-to-exploit vulnerabilities.

Another thing most known techniques have in common is that you always end up running code in kernel mode. This can be cool sometimes, but it is not safe, and any little mistake will cause a BSOD.

All started with a good paper

In January 2010 Matthew “j00ru” Jurczyk and Gynvael Coldwind published “GDT and LDT in Windows kernel vulnerability exploitation” [1]. This is a good paper detailing a technique for Windows